So I've been slowly segmenting my network into various VLANs. We have ~260 end user devices with servers, printers, etc.

Something I'm not clear on is how to monitor/speed up traffic across the network. For security purposes, I'm working on getting some ACLs set up to block unimportant traffic, but I'm not entirely clear if that's going to do much for performance overall, as that'll likely bump up the CPU time on my switches.

Also, it's hard to find what ports/traffic to block.

Is there any form of a suggestion for this? Website, how-to, etc.? We are a nearly 100% Windows environment.

Most traffic will be going to the internet. Our main application is web based (in the cloud) using a fat client. The internal traffic will be the typical things - domain controller traffic, DHCP, DNS, printers, file servers, etc.

There isn't much you can optimize there. You definitely want ACLs and VLANs for security but if your clients are running at 300Mbs on the LAN and your ISP is giving you 50Mbs, for example, that's as fast as it's going to get.

Yeah, I get that. The piece I'm not finding/understanding is that oftentimes when we have some slowness in the web-based app, the vendor is quick to say "you're having a network issue" (of course). I'd like to be able to clean up any ancillary traffic in our internal network if possible, and then have a mechanism to measure it to be able to rule this out.

Also, a better method to figure out what should and shouldn't be able to be used in each VLAN (i.e. appropriate ports, etc.).

There's no way any local traffic can affect your internet, unless you are overloading ports on the 2960-X. The 4500-X can certainly keep up with anything you are throwing at it. The ACLs on the 4500-X are done in hardware, so you shouldn't see any effect on overall CPU by using ACLs. You can look to your router/firewall to throttle internet traffic that isn't related to your production web client traffic.

What you may want to look into is running Application Visibility Control (AVC) on your Firewall or Router. This will allow you to see what type of applications are going out to the Internet as well as block them.

I think I've found what I'm looking for. The thread is going in a direction that wasn't intended, as I was looking for some suggestions on ACLs, not worrying about AVC, traffic out to the internet etc. I think I have enough information from some other ACL looking I found.

Your firewall is the first place to start. Assuming that your firewall is capable of reporting on inside users/IPs, destination URLs/IPs and protocols, with a built-in or add-on plugin, this is the best place to look for information.

Next is your topology - there could be a significant amount of traffic between your VLANs that you might not be aware of. Is your core routing maybe done over a single 1G interface? Using a tool like Observium and the SNMP protocol should give you pretty good information about your traffic at peak time.

You also need to make sure that your users are not using too much of services like Dropbox. If their outbound sync occupies most of the outbound bandwidth, there will be no room for other web requests and they might get dropped. If we have an asymmetrical line, it is more critical to control outbound traffic than inbound traffic.

When supported by the network gateway device, it is smart to limit outbound bandwidth for certain protocols and ensure that request messages go through (yes, QoS).

Hope it helps, it will not harm for sure ;)
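As an added example (not code from anyone in this thread), here is one way to turn the firewall/SNMP reporting suggested above into an answer to the original "what should each VLAN be allowed to talk to" question: aggregate observed inter-VLAN flows per (source VLAN, destination VLAN, protocol, port), label the ports that match the Windows services the thread mentions (DC, DHCP, DNS, printers, file servers), and flag everything else for review before it goes into an allow-list ACL. The flow records and VLAN numbers are constructed sample data; the service map is an assumption, not a complete list for a Windows domain.

```python
"""Summarize constructed inter-VLAN flow records into a candidate ACL allow-list."""
from collections import defaultdict

# Assumed map of well-known Windows/AD service ports; extend for your environment.
KNOWN_SERVICES = {
    ("udp", 53): "DNS", ("tcp", 53): "DNS",
    ("udp", 67): "DHCP", ("udp", 68): "DHCP",
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("tcp", 135): "RPC endpoint mapper", ("udp", 123): "NTP",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP", ("tcp", 636): "LDAPS",
    ("tcp", 445): "SMB (file servers)",
    ("tcp", 9100): "Printer (raw)", ("tcp", 631): "IPP",
}

# Constructed sample export: src_vlan,dst_vlan,proto,dst_port,bytes
SAMPLE_FLOWS = """\
10,20,udp,53,1200
10,20,tcp,88,4300
10,20,tcp,445,9800000
10,30,tcp,9100,250000
10,20,udp,53,900
10,40,tcp,3389,512000
10,20,tcp,445,120000
"""

def parse_flows(text):
    """Parse CSV flow lines into (src_vlan, dst_vlan, proto, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, port, nbytes = line.split(",")
        flows.append((int(src), int(dst), proto.lower(), int(port), int(nbytes)))
    return flows

def summarize(flows):
    """Aggregate bytes per (src_vlan, dst_vlan, proto, port), busiest first, with a label."""
    totals = defaultdict(int)
    for src, dst, proto, port, nbytes in flows:
        totals[(src, dst, proto, port)] += nbytes
    rows = []
    for (src, dst, proto, port), nbytes in sorted(totals.items(), key=lambda kv: -kv[1]):
        label = KNOWN_SERVICES.get((proto, port), "UNKNOWN - review before allowing")
        rows.append({"src_vlan": src, "dst_vlan": dst, "proto": proto,
                     "port": port, "bytes": nbytes, "service": label})
    return rows

def unreviewed(rows):
    """Rows whose port is not in the service map: candidates to block or justify."""
    return [r for r in rows if r["service"].startswith("UNKNOWN")]

if __name__ == "__main__":
    for r in summarize(parse_flows(SAMPLE_FLOWS)):
        print(f"VLAN {r['src_vlan']} -> {r['dst_vlan']} {r['proto']}/{r['port']:<5} "
              f"{r['bytes']:>10} B  {r['service']}")
```

Feed it a real flow or firewall export (same five columns) and the labelled rows become the explicit permit entries for the hardware ACL on the 4500-X, while the "UNKNOWN" rows are what to ask about before adding a final deny.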
